Every incisive query into network traffic data needs to be anchored, or keyed, on some field. This is, essentially, the pivot field. Pivoting on the right field is crucial -- I've seen inexperienced analysts spend days mired in data that is off-topic and non-covergent. In some cases, simply changing their pivot vantage point results in an answer/convergence in a matter of minutes.
For example, consider the simple case of a malicious binary download detected in proxy logs. If we want to understand what else the client endpoint was doing around the time of the download, we would pivot on source IP address and search a variety of different data sources keyed on source IP address during the given time period. If we want to quickly assess who else may have also downloaded the malicious binary, we would pivot on domain and/or URL.
Naturally, these are simple pivots, but the point is a good one. Take care to use the right pivot. Otherwise, the results may be confusing, divergent, and inconclusive.
Friday, June 1, 2012
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment